
Cloud Computing Global Impact and Compliance

Cloud Strategy Partners, LLC

Sponsored by: IEEE Educational Activities and IEEE Cloud Computing

Course Presenter's Biography

This IEEE Cloud Computing tutorial has been developed by Cloud Strategy Partners, LLC.
Cloud Strategy Partners, LLC is an expert consultancy firm that specializes in Technology
and Strategy relating to Cloud Computing.

IEEE eLearning Library

Cloud Computing Global Impact and Compliance

Transcript pg. 2 / 16

Course Summary

In this tutorial we will review the global character of cloud including both opportunities and
problems. We will also review the geographical distribution of major cloud providers as well
as examine interoperability, compatibility, and portability. We will also discuss cloud security
and compliance with a focus on compliance standards and cloud certification and auditing.
We will review an example Cloud PCI DSS compliance analysis and finally, discuss cloud
dependability and security with a focus on incident response and eDiscovery.


Transcript

Course Outline
In this Lesson we will cover the following topics:

Global character of cloud: opportunities and problems

Geographical distribution of major cloud providers

Interoperability, compatibility, portability

Cloud security and compliance


o Compliance standards
o Cloud certification and auditing

Example: Cloud PCI DSS compliance analysis

Cloud dependability and security


o Incident Response and eDiscovery

Take away and further reading

Global Nature of Cloud Computing

Cloud Computing is global in nature: one connects to clouds over the Internet, so any cloud can be accessed from essentially anywhere the Internet reaches. This further increases the economic and operational benefits of Cloud Computing, because worldwide scale adds to the economy of scale by combining cyclical workloads from around the globe.
Global scale and global character mean that Cloud Computing crosses borders and operates in different legal and regulatory environments. Applications running on clouds may be quite simple and encounter no issues running in one country while serving another. However, many cloud based applications are complex, storing data and processing commerce, and so global issues are encountered.
These issues result from the requirements imposed by the global nature of clouds and from the inherent technological homogeneity of clouds. In other words, the very economics and design of clouds tend to make them operationally the same in all of their datacenters around the world; they do not vary country by country, whereas some countries have requirements specific to that country.


Changing global network/telecom landscape

The changing global network and telecom landscape is occurring in parallel with the emergence of Cloud Computing, and as a result there is a high degree of mutual influence between these two evolutionary factors.
For the telecom companies, while it was a huge move for them to grow from fixed line voice providers to data providers, and then to mobile providers, it is yet another huge step to move into this world of planetary scale computing and storage. Even more so, they need to consider global reach, delivery areas/regions, and the new scope of the last mile problem in delivering cloud based services to customers.
The cloud providers, for their part, are now so big that they have their own worldwide networking infrastructure. It is more efficient for them to run their own network than to lease from a telecommunications provider. They use this network to deliver their own services as well as to transit customer data.

Rise of Hyper giants changing landscape of Internet

In this way the hyper giants are changing the landscape of the Internet. The illustrations show that for a long time, the Internet (as far as backbone/transit is concerned) had telecommunications providers moving most of the worldwide traffic.
Now, the very largest software and services companies, all of whom offer cloud services and/or applications, are moving most of the Internet data themselves. They are also setting up their own Content Distribution Networks (CDNs) to further eliminate the expense of third party CDN providers.

Case Study: Content Delivery Networks (CDN)

So now let us take a look at Content Delivery Networks (CDN). Originally these companies (Akamai, Limelight, Level 3, etc.) would charge owners of content (typically large web sites) to cache their content across a geography, so that pictures and video would download quickly, being close to the actual end user. This also spared the web site owner from paying their co-location or transit provider over and over again for people downloading the same content from the site.
Now, the mega-providers are essentially moving their own content on their own Internet segments. The slide shows how this adds up.


Cloud penetration and use: Developing countries

Next consider the impact of Cloud Computing on developing countries. Cloud services of different types are available worldwide due to their Internet based nature.
As a result, developing countries suddenly have access to sophisticated software which they did not have before clouds. On mobile devices they have apps (which are almost all cloud based), and for businesses a wide variety of SaaS applications.
Still, it is a big jump for an individual or business to utilize advanced software: they need a certain maturity level and a business culture with regard to using software, and they also need to be aware of and comply with local policy and legislation.

The 2013 Business Software Alliance Global Cloud Computing Scorecard

The 2013 Business Software Alliance Global Cloud Computing Scorecard report ranks countries' preparedness to support the growth of cloud computing. The 24 countries included together account for 80 percent of the global information and communication technologies (ICT) market.
Several categories of cloud readiness are examined: ensuring privacy, promoting security, battling cybercrime, protecting intellectual property, ensuring unrestricted or lightly regulated data movement, harmonization of international regulations, and existence of the necessary IT infrastructure.

BSA: International policy landscape for cloud computing shows cloud readiness

The results of the BSA study show that the international policy landscape for cloud computing is becoming ready for cloud. Of the 24 countries reviewed, 12 countries were identified with the best scores for cloud readiness; these are listed on the slide.

Geographical Availability
The cloud service providers, then, have arranged their geographical availability to best support a global footprint. Cloud service providers' infrastructure is geographically separated into regions, availability zones, and points of presence. We will look next at details of several major providers' geographic footprint strategies.


Amazon AWS availability worldwide

This slide shows the global infrastructure of Amazon AWS.
Amazon allows developers to explicitly locate their use of the cloud in Regions; at the time of this tutorial there were 9 regions. Within a region there is the concept of multiple Availability Zones. These are meant to be separate facilities, with separate power and network and even some distance between them. Running your code in two availability zones within a region is a high availability strategy: if a power company or network provider has a problem, the other availability zone should be unaffected, and if you have structured your service deployment correctly, the other availability zone can handle everything.

Microsoft Windows Azure global footprint


This slide shows the global infrastructure of Microsoft Windows Azure. Windows Azure uses
a slightly different scheme for high availability but they too have a redundant and
geographically distributed footprint. Microsoft has a very extensive CDN capability integrated
with Azure.

Google Edge Points of Presence

Google is more secretive about its precise datacenter locations and facilities and prefers to publish more about its Points of Presence. However, it is known that they have datacenters in many locations, and several of these are listed on the slide.

Challenges and issues as a result of the global nature of clouds


Having such massive providers, each with global reach but each with different services, gives rise to challenges and issues as a result of this global nature. Challenges include:

Interoperability

Compatibility

Integration

Localization

Portability

Mobility

Security and Compliance

Dependability

Incident Handling (eDiscovery)


Interoperability factors and approaches:

Standardization

Best practices

Industry Whitepapers

Supporting developers community

Interoperability testing

Certification

The global cloud computing landscape has a long way to go to catch up with the consistency and interoperability of the telephone or the Internet, that is for sure.

Application Portability
One of the main issues in the cloud landscape is the lack of portability across clouds. That is, the methods and interfaces one uses to put services on a particular vendor's cloud are in almost all cases quite different from those of a different vendor's cloud. There are issues in

VM migration (Hybrid Cloud Bursting)

Data portability

Network portability

Security portability

Security and Compliance

Another concern is the security and compliance of cloud systems. Security is commonly defined as the set of technical, physical, and administrative controls that ensure the normal operation of a system or application. Compliance is a certification or confirmation that the system or organization meets the requirements of specified standards, established legislation, regulatory guidelines, or industry best practices, which together can be defined as a compliance framework.
Why are they particularly important for cloud? When moving to the cloud, the organization moves from an internal security and operational environment/context (which may not have been formally defined) to an external operational security context that becomes part of the SLA (or business requirement) with the CSP.


Regulatory requirements to be considered for cloud compliance


There are a great many regulatory requirements to be considered for cloud compliance, depending on the geography as well as the industry. This slide lists most of them.

Mapping Compliance and Cloud Infrastructure Components

This slide illustrates the relations between a cloud based customer application infrastructure and the main security controls applied to cloud infrastructure functional components, all in order to comply with different security and other regulations. Compliance domains include:

General Information Systems and IT regulations

Government

Finance

Healthcare

Energy

Application and infrastructure layers include:

Public/Private/Hybrid cloud infrastructure and/or platform provided by Cloud Service Providers

Customer cloud based applications and infrastructure that may span multiple clouds and can be treated as inter-cloud

Enterprise or end user clients and IT infrastructure

The diagram also shows a number of security controls or functions that work at different layers of the cloud based infrastructure. Consistent security compliance can be achieved by combining all components and addressing all layers: starting from strong cloud platform security, supported by consistent security key and session management that binds all security services/properties to platform security and integrity; continuing through the application security layer, which includes network security, access control, policy management and data security; and finally supported by corresponding security measures in the enterprise IT infrastructure.

Security and Compliance Questions

When considering cloud and cloud applications, there are security and compliance questions auditors would ask you. They are good questions to ask of yourself:

Where is our data going to reside?

Who is going to look after it?

Who is going to be able to see it?

Is it going to be the people that manage the infrastructure for us?

Is it going to be internal and external people?

And if we use a public cloud, how secure is that cloud platform for us?

Is our data going to be segregated from other organizations' data?

Having well considered answers will help with a safe and reliable cloud initiative regardless of whether a formal audit is going to be done or not.

Case study: Certification/Compliance by Amazon AWS Cloud

So how do the major cloud providers stack up? Quite well, actually. The AWS cloud infrastructure has been designed and managed in alignment with regulations, standards, and best practices including:

ISO/IEC 27001:2005

SOC 1, SOC 2, SOC 3

FIPS 140-2

CSA

PCI DSS Level 1

HIPAA

ITAR

DIACAP and FISMA

FedRAMP (SM)

MPAA

Amazon's cloud is certified for hosting US Government services.

Case study: Certification/Compliance by Microsoft Azure

Microsoft's services/infrastructure meet the following key certifications, attestations and compliance capabilities:

ISO/IEC 27001:2005 certification of the security infrastructure

SOC 1 (SSAE 16/ISAE 3402) and SOC 2 and 3 (AT 101), obtained in 2008 and 2012

Cloud Security Alliance (CSA) Cloud Controls Matrix

NIST SP 800-144 Guidelines on Security and Privacy in Public Cloud Computing

PCI Data Security Standard certification, Level 1

HIPAA and HITECH

FISMA Certification and Accreditation since 2010

Various state, federal, and international privacy laws (e.g. EU Data Protection Directive 95/46/EC, California SB 1386, etc.)

EU Regulations on Cloud Computing

Europe has been active in establishing its own profiles for security and compliance.
It published two main documents in 2012: Unleashing the Potential of Cloud Computing in Europe, and the proposal for a regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). A comprehensive EU cloud regulation framework was expected to fully emerge by 2015.


European Cloud Computing Strategy (2012+)

In September 2012, the European Commission adopted a strategy for Unleashing the Potential of Cloud Computing in Europe, with three key actions:

Key Action 1: Cutting through the Jungle of Standards

Key Action 2: Safe and Fair Contract Terms and Conditions

Key Action 3: Establishing a European Cloud Partnership to drive innovation and growth from the public sector

This was met with mixed reactions from the major cloud players in Europe (e.g., Microsoft, HP, IBM).

Highlights: EU Data Protection Regulation

One area in which Europe is strong is applying its data protection regulations to the cloud. Under the EU data protection rules, everyone has the right to the protection of personal data. Furthermore, persons or organizations which collect and manage your personal information must protect it from misuse and must respect certain rights of the data subjects which are guaranteed by EU law. There is also a Right to be Forgotten (RTBF); this is a complex issue for global cloud infrastructures and for all information collected by web and mobile applications.

PCI DSS Cloud Computing Guidelines

One area that is quite solid regarding Cloud Computing and security is the set of rules around processing credit card data in a cloud based application. The credit card situation is unique in that the card brands carry a certain risk directly from credit card fraud and misuse. To mitigate this, they require that any business that stores, processes or transmits cardholder data validate PCI DSS compliance; for the largest merchants and service providers this means an assessment by an independently accredited Qualified Security Assessor (QSA), while smaller merchants complete a self-assessment questionnaire.
The document Information Supplement: PCI DSS Cloud Computing Guidelines was published in February 2013. It gives very specific requirements and details of common deployment and service models for cloud environments, including how implementations may vary within the different types. It also discusses:

Cloud provider/cloud customer relationships

Responsibilities for individual PCI DSS requirements

PCI DSS compliance challenges

Audience: Involved Parties/Stakeholders

Security and compliance has several involved parties/stakeholders:

Merchants must be able to achieve their compliance obligations while using cloud services

Individuals have an expectation that their personal information will be protected and used appropriately

Cloud service providers must have clear mechanisms to evaluate and communicate capabilities

Regulators and industry governing bodies need to have confidence that their requirements are met and verified

Example: Controls Assignment for Different Cloud Service Models (PCI DSS)

The illustration on this slide shows an example controls assignment for the different cloud service models (PCI DSS).
While the data is always the responsibility of the customer/client, the CSP facility/infrastructure must be certified/compliant with PCI DSS and relevant standards.

Example: PCI DSS Responsibilities Sharing


Here is additional detail around PCI DSS responsibility sharing.

Segmentation Considerations
You might have noticed from some of the previous slides that segmentation is a key concern for PCI. Segmentation means that the machines, networks and storage which carry cardholder data must be separated from other general purpose IT assets.
In classic IT systems this meant different servers, different storage boxes, and different networks; in the case of the network, initially actual separate physical networks joined only at specific locations with tightly controlled firewalls. Eventually compliance experts became comfortable with network segmentation based on VLANs.
In the cloud environment, with more and more virtualization of resources, it is not possible to apply the same physical segmentation rules. While different techniques may be used (as in the VLAN example), segmentation of a cloud based infrastructure must ensure a similar level of separation as with physical infrastructure. Mechanisms to ensure appropriate segmentation may be applied at the network, operating system and application layers.
The slide details some examples of correctly segmented cloud environments, and also examples of incorrect segmentation.

Segmentation Technologies
In order to satisfy the requirement of segmentation in a virtualized environment, without the ability to have separate physical infrastructure (physical servers, networks, storage etc.), compliance professionals have agreed that techniques taking into consideration the virtual environment are needed.
Some of these are:

Physical firewalls and network segmentation at the infrastructure level, especially for the management network

Firewalls at the hypervisor and VM level

VLAN tagging, in addition to firewalls

Software intrusion prevention system at the hypervisor layer

Data loss prevention tools at the hypervisor and/or VM level

Controls to prevent out-of-band communications

Isolation of shared processes and resources from client environments

Segmented data storage for each client

Strong, two-factor authentication

Separation of duties and administrative oversight

Continuous logging and monitoring of perimeter traffic
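As an added illustration of what a segmentation review checks at the network layer (this is example code written for this transcript, not PCI SSC guidance or any provider's tooling), the following Python takes a flat export of allow rules, of the kind a cloud security group or hypervisor firewall produces, and flags every path from a non-CDE network into the cardholder data environment that does not go through an approved entry point, plus any tenant path into the management network, which the list above singles out. The address ranges, the approved entry points and the rules are all constructed assumptions.

```python
"""Segmentation check for a cardholder data environment (CDE).

Added illustration for the tutorial; not PCI SSC guidance or provider tooling.
It takes the flat list of allow rules you would export from a cloud security
group or hypervisor firewall and flags any rule that lets a non-CDE network
reach the CDE other than through the approved, tightly controlled entry
points, plus any tenant segment that can reach the management network.
The network plan and the rules are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed network plan (an assumption of this example).
CDE_NETS = [ipaddress.ip_network("10.20.0.0/16")]          # cardholder data environment
MANAGEMENT_NETS = [ipaddress.ip_network("10.99.0.0/24")]   # hypervisor / admin network

# Only these sources may open connections into the CDE, on these ports only:
# a hardened admin jump host over SSH, and the DMZ load balancers to the
# payment API over HTTPS.
APPROVED_ENTRY: Dict[ipaddress.IPv4Network, Set[int]] = {
    ipaddress.ip_network("10.99.0.10/32"): {22},
    ipaddress.ip_network("10.10.5.0/24"): {443},
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: int     # destination port; 0 means any port
    action: str   # "allow" or "deny"


def _touches(net: ipaddress.IPv4Network, nets: List[ipaddress.IPv4Network]) -> bool:
    return any(net.overlaps(n) for n in nets)


def check_segmentation(rules: List[Rule]) -> List[str]:
    """Return one finding per rule that breaks the segmentation model.

    An empty list means the rule set passes this network-layer check. It says
    nothing about the hypervisor's own isolation or about host-level controls,
    which an assessor must verify separately.
    """
    findings: List[str] = []
    for r in rules:
        if r.action != "allow":
            continue  # only allow rules can open a path
        src = ipaddress.ip_network(r.src)
        dst = ipaddress.ip_network(r.dst)

        # Path from outside the CDE into it: must be an approved source on an approved port.
        if _touches(dst, CDE_NETS) and not _touches(src, CDE_NETS):
            approved = any(src.subnet_of(entry) and r.port in ports
                           for entry, ports in APPROVED_ENTRY.items())
            if not approved:
                findings.append(
                    f"{r.name}: {r.src} -> {r.dst} port {r.port or 'any'} "
                    "enters the CDE from a non-approved source or port")

        # Anything outside the management network reaching it is a finding:
        # compromise of the management plane defeats every tenant's segmentation.
        if _touches(dst, MANAGEMENT_NETS) and not _touches(src, MANAGEMENT_NETS):
            findings.append(f"{r.name}: {r.src} can reach the management network {r.dst}")
    return findings


# Constructed sample export: three rules conform, three do not.
SAMPLE_RULES = [
    Rule("jump-ssh",    "10.99.0.10/32", "10.20.0.0/16", 22,   "allow"),  # approved entry
    Rule("lb-to-api",   "10.10.5.0/24",  "10.20.1.0/24", 443,  "allow"),  # approved entry
    Rule("api-to-db",   "10.20.1.0/24",  "10.20.2.0/24", 5432, "allow"),  # intra-CDE, fine
    Rule("corp-rdp",    "10.50.0.0/16",  "10.20.0.0/16", 3389, "allow"),  # corporate LAN into CDE
    Rule("dev-any",     "10.60.0.0/16",  "10.20.2.0/24", 0,    "allow"),  # any-port into CDE database net
    Rule("cde-to-mgmt", "10.20.0.0/16",  "10.99.0.0/24", 443,  "allow"),  # tenant reaches management plane
    Rule("default",     "0.0.0.0/0",     "0.0.0.0/0",    0,    "deny"),
]

if __name__ == "__main__":
    for finding in check_segmentation(SAMPLE_RULES):
        print("FINDING:", finding)
```

Run against the sample export it reports the three non-conforming rules and nothing else. It only covers the network-layer items in the list above; hypervisor isolation, per-client storage segmentation, authentication and logging each need their own evidence, and a clean result here does not make the environment segmented.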

PCI DSS Application Compliance Challenges - Examples

It is one thing for the Cloud Service Provider to create a PCI DSS compliant infrastructure; it is another thing for the application on top of that cloud to be PCI DSS compliant as well. The application does not get a free ride to compliance just because the underlying platform is compliant. Auditors will expect all layers which touch cardholder data to be scrutinized.
However, clients may have little or no visibility into the CSP's underlying infrastructure and the related security controls, and clients may have limited or no oversight or control over cardholder data storage. It can be challenging to verify who has access to cardholder data processed, transmitted, or stored in the cloud environment.
Additionally, there may be other challenge areas, as the slide indicates.
Finally, most large providers do not support a right-to-audit for their clients.

What does PCI DSS Compliance mean?

Continuing on the PCI DSS challenge, there are additional technical considerations between the infrastructure and the application.
Many applications will move to the cloud using IaaS, which means they bring along their own operating system. A CSP's validation may have included the use of up-to-date anti-virus software on the CSP's systems; however, this validation might not extend to the individual client OS or VMs (such as in an IaaS service). The application deployment must ensure that its own operating system patches and anti-virus software are up to date. The SLA and all agreements should clearly delineate responsibility between the parties. All this said, compliance relies in the end on two key concepts.


First, the entire environment, from the underlying hardware and management, to the cloud infrastructure, to everything the developers bring to make the application come alive, must be considered. Any open issue needs to have a mitigating control applied, which can be a manual check, an additional procedure, or a risk analysis with a regular sign-off indicating that the organization is aware of the issue and has determined it to be of minimal concern.

Dependability
Now we will examine a concept closely related to security and compliance, called dependability. Dependability is a system property that reflects the extent of the users' confidence that the system will operate as they expect and will not fail in normal use. As clouds become a mainstream technology, the dependability of cloud based infrastructure and services becomes more critical. In systems engineering, dependability is a measure of a system's availability, reliability, and maintainability.

Dependability: Principal Properties

Dependability can be decomposed into the following principal properties:
Availability--The probability that the system will be up and running and able to deliver useful services to users.
Reliability--The probability that the system will correctly deliver services as expected by users.
Safety--A judgment of how likely it is that the system will cause damage to people or its environment.
Security--A judgment of how likely it is that the system can resist accidental or deliberate intrusions.

Dependability, Reliability and Failure protection

Applications can have significant enhancements to their dependability, reliability and failure protection depending on how the system manager chooses to deploy them, and on what limitations there might be in their structure that allow for some of these changes.
One method to achieve system dependability when using IaaS is replication at the VM level. There are multiple approaches within replication. One is snapshotting: the application can be snapshotted (including working memory) and that image saved, possibly even to a different availability zone. Some IaaS systems or tools support IP address fixups in snapshots to support exporting them to a different availability zone. If the original application fails (or the whole datacenter / availability zone fails), watchdog software reconstitutes the snapshot image in the new availability zone. Local DNS or the load balancer may have to be reconfigured to point traffic to this other location.
Another method is replication proper, where there are multiple running instances of the application sharing some core component such as a database. That database might itself be replicated/clustered across availability zones. While both application replicas are running they share the load. If one replica dies, the remaining one handles the load while a replacement is brought up by the watchdog software.
There are many other techniques for increasing dependability, reliability and failure protection, including memory rejuvenation and more features from the so-called watchdog software, which may be an add-on or may come from the cloud system software company.
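To make the trade-off between these replication methods concrete, here is an added worked example (written for this transcript, not from the slides) of the availability arithmetic behind them: a single component's availability from its MTBF and the watchdog's recovery time, active-active replicas in parallel, and the shared database in series with the application tier. Independence of replica failures is an assumption that only holds across separate availability zones, and the MTBF/MTTR figures used in the usage section are constructed rather than measured.

```python
"""Availability arithmetic for the replication patterns described above.

Added example for this tutorial, not from the original slides. It assumes
that replica failures are statistically independent, which is only
reasonable when the replicas sit in different availability zones with
separate power and network; replicas in one zone share failure modes and
these numbers would overstate what you get. The MTBF/MTTR figures in the
usage at the bottom are constructed, not measured.
"""
from typing import Iterable

MINUTES_PER_YEAR = 365 * 24 * 60


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability of one component: MTBF / (MTBF + MTTR).

    MTTR here is the whole recovery path: watchdog detection time plus the time
    to reconstitute the snapshot or start a replacement plus the DNS/load
    balancer repointing. Shortening any of those raises availability directly.
    """
    return mtbf_hours / (mtbf_hours + mttr_hours)


def parallel(avails: Iterable[float]) -> float:
    """Active-active replicas: the service is down only when all replicas are down."""
    unavailable = 1.0
    for a in avails:
        unavailable *= (1.0 - a)
    return 1.0 - unavailable


def series(avails: Iterable[float]) -> float:
    """Components that must all be up at once (e.g. application tier AND shared database)."""
    total = 1.0
    for a in avails:
        total *= a
    return total


def replicated_service(app_avail: float, app_replicas: int,
                       db_avail: float, db_replicas: int = 1) -> float:
    """End-to-end availability of N app replicas in front of a shared database.

    The database is a single shared component unless it is itself clustered
    across zones (db_replicas > 1), so with db_replicas == 1 the result can
    never exceed db_avail no matter how many app replicas you add.
    """
    app_tier = parallel([app_avail] * app_replicas)
    db_tier = parallel([db_avail] * db_replicas)
    return series([app_tier, db_tier])


def downtime_minutes_per_year(avail: float) -> float:
    """Expected unavailability per year, in minutes."""
    return (1.0 - avail) * MINUTES_PER_YEAR


if __name__ == "__main__":
    # Constructed figures: a VM that fails every 2000 h on average, recovered by
    # the watchdog in 30 min; a managed database at 99.9%.
    vm = availability(2000, 0.5)
    print(f"single VM:              {vm:.6f}  ({downtime_minutes_per_year(vm):.0f} min/yr)")
    two = parallel([vm, vm])
    print(f"two VMs, separate AZs:  {two:.9f}")
    for db_nodes in (1, 2):
        svc = replicated_service(vm, 2, 0.999, db_nodes)
        print(f"2 app + {db_nodes} db node(s):   {svc:.6f}  ({downtime_minutes_per_year(svc):.0f} min/yr)")
```

The point the numbers make is the one the text hints at: adding application replicas drives the application tier's unavailability down quadratically, but the service as a whole is capped by the shared database until that component is itself replicated across zones, and the watchdog's recovery time enters the result directly through MTTR.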

eDiscovery: Definition
Electronic discovery (eDiscovery) was the subject of amendments to the Federal Rules of Civil Procedure (FRCP), effective December 1, 2006, as amended to December 1, 2010.
It is a more general recognition that many software tools keep electronic records which are important in legal actions. Emails, instant messages, memos, and postings on internal blogs and wikis are all examples of a widened concept of electronic records.
eDiscovery is the electronic aspect of identifying, collecting and producing electronically stored information (ESI). Electronic discovery (or e-discovery or eDiscovery) refers to discovery in civil litigation or government investigations which deals with the exchange of information in electronic format.
Data are identified as potentially relevant by attorneys and placed on legal hold. Electronic information is usually accompanied by metadata, which can play an important part as evidence (for example, the date and time a file was modified can be useful in an analysis).

eDiscovery in Cloud - Challenges

eDiscovery sounds simple enough, but on a cloud there are challenges. eDiscovery in clouds is complicated by virtualization and multi-tenancy and has the following challenges:

Complexity and lack of standardization

Data export capabilities, including metadata export

Cloud object storage is not like a filesystem with filenames and dates

Typically cloud tools are not designed to do arbitrary data export

Lack of special tools and applications

Cloud providers may limit access to data to their own tools

Especially on the cloud, application owners need to make an eDiscovery plan ahead of time.
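As an added example of what planning ahead can look like (written for this transcript, not from the slides or any eDiscovery product): a collection routine that records the metadata an object listing does return (key, size, ETag, last-modified), hashes each object's content at collection time, and seals the manifest, so that later changes to the objects or to the manifest itself are detectable when the collection is produced. The object listing and its metadata are constructed; no storage API is called.

```python
"""Collection manifest for electronically stored information held in object storage.

Added example for this tutorial, not from the original slides or any
eDiscovery product. Object storage has no filesystem timestamps to preserve,
so the plan should record what the provider's listing does return (key, size,
ETag, last-modified) together with a content hash taken at collection time,
and seal the manifest so later changes to it or to the objects are detectable.
The objects and their metadata below are constructed; no storage API is called.
"""
import hashlib
import json
from typing import Dict, List

# Constructed stand-in for an object listing, with the object bodies attached.
# Real listings carry similar fields, but every value here is invented.
SAMPLE_OBJECTS: List[Dict] = [
    {"key": "mail/2013/02/msg-0417.eml",
     "last_modified": "2013-02-14T09:12:31Z",
     "etag": "3c59dc048e8850243be8079a5c74d079",
     "body": b"From: ap@example.test\r\nSubject: Invoice 0417\r\n\r\nPlease process.\r\n"},
    {"key": "chat/2013/02/room-finance.json",
     "last_modified": "2013-02-15T17:40:02Z",
     "etag": "b6d767d2f8ed5d21a44b0e5886680cb9",
     "body": b'[{"ts":"2013-02-15T17:39:58Z","user":"kp","text":"approved 0417"}]'},
]


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(manifest: Dict) -> bytes:
    # Stable serialization so the manifest hash does not depend on key order.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_manifest(objects: List[Dict], matter_id: str, collected_by: str,
                   collected_at: str) -> Dict:
    """Record provider metadata plus a content hash for each object, then seal the manifest."""
    entries = []
    for obj in objects:
        entries.append({
            "key": obj["key"],
            "size": len(obj["body"]),
            "provider_last_modified": obj.get("last_modified"),
            "provider_etag": obj.get("etag"),
            "sha256": _sha256(obj["body"]),
        })
    manifest = {
        "matter_id": matter_id,
        "collected_by": collected_by,
        "collected_at": collected_at,   # ISO 8601, UTC; who and when are part of the record
        "objects": entries,
    }
    manifest["manifest_sha256"] = _sha256(_canonical(manifest))
    return manifest


def verify_manifest(manifest: Dict, objects: List[Dict]) -> List[str]:
    """Return a list of problems; empty means the collection still matches the manifest.

    Reports 'MANIFEST' if the manifest itself was altered after sealing, and
    each object key whose content changed or that is no longer present.
    """
    problems: List[str] = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if _sha256(_canonical(body)) != manifest.get("manifest_sha256"):
        problems.append("MANIFEST")
    by_key = {o["key"]: o for o in objects}
    for entry in manifest["objects"]:
        obj = by_key.get(entry["key"])
        if obj is None:
            problems.append(f"{entry['key']} (missing)")
        elif _sha256(obj["body"]) != entry["sha256"]:
            problems.append(f"{entry['key']} (content changed)")
    return problems


if __name__ == "__main__":
    m = build_manifest(SAMPLE_OBJECTS, "MATTER-2013-001", "examiner@example.test",
                       "2013-03-01T10:00:00Z")
    print(json.dumps(m, indent=2))
    print("verify:", verify_manifest(m, SAMPLE_OBJECTS) or "OK")
```

The manifest is what answers the metadata question the list above raises: the provider's last-modified and ETag values are preserved as recorded at collection, the content hash ties each produced object back to that moment, and the sealed manifest hash lets the other side check that neither was edited afterwards. Collecting through the provider's own export tools still leaves the routine in control of what is recorded about each object.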

Wrap Up and Take Away

Cloud Computing, due to its main properties and Internet foundation, has a global nature.
The global nature of Cloud Computing brings benefits and imposes additional/new challenges: interoperability, compatibility, portability, security and compliance have new aspects in international service delivery and data movement.
Cloud finds application in critical areas of business, healthcare and government. This implies the whole spectrum of compliance requirements for such systems.
PCI DSS Cloud Computing Guidelines provide valuable analysis and recommendations for cloud providers and clients on securing their cloud based solutions.
Cloud brings new factors and aspects to cloud based infrastructure dependability, security and eDiscovery.
